[Owasp-modsecurity-core-rule-set] patch for 2.2.5 CRS modsecurity_crs_16_session_hijacking.conf

Ben WIlliams benwilliams+owasp at joobworld.com
Sun Nov 11 21:15:43 UTC 2012

Here are a couple of fixes I've made to the session hijacking CRS
2.2.5 rules in use with modsecurity 2.6.8.
Some of our cookie names have been changed, so ASPSESSIONIDXXX did not
match in RESPONSE_HEADERS:/Set-Cookie2?/ but did match in

Also there is a bug related to comparisons on collection keys that do
not exist. When a request contains a cookie that has not been saved to
the SESSION collection before, the intention is for tx.anomaly_score
to be incremented by 5 (critical) and the rest of the checks skipped,
but this does not happen. Any test on a collection key that does not
exist always returns false. This means the test on SESSION:VALID "!@eq
1" returns false, when the intention is for it to return true if the
session cookie has not been seen before.  And the following rules in
the block are run which triggers 981059,981060,981061 to return true
since it is a new session collection withou ip_hash or ua_hash keys.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: modsecurity_crs_16_session_hijacking.conf.patch
Type: application/octet-stream
Size: 2187 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20121112/7c94fbc7/attachment.obj>

More information about the Owasp-modsecurity-core-rule-set mailing list